Stopping Leaks and Investigating Employees

By Courtney Macavinta

When Hewlett-Packard announced that Chairman Patricia Dunn was stepping down, it marked not the end but the beginning of an intense debate over internal investigation techniques used by companies to stop leaks of confidential or sensitive information.

In HP's case, the details are well known: Private investigators were apparently hired to determine the alleged source of leaks from the HP board to the media. Reportedly, the investigation firm went so far as to hire subcontractors who subsequently impersonated HP board members in an attempt to get access to their telephone records -- a practice dubbed pretexting. The revelation of the subcontractor's investigation tactics not only resulted in the resignation of Dunn but a U.S. Congressional subcommittee hearing.

The HP case has raised more than eyebrows. There is no question that insider leaks sometimes pose threats to an organization's reputation, products, and stock price. But now executives, lawmakers, and analysts are mulling best practices for how to limit leaks without unethically violating board members' or employees' privacy or the law. After all, the collection of information about people in the Internet-based global economy is subject to very different restrictions around the world. Couple this with the fact that regulations like Sarbanes-Oxley (SOX) have created new corporate accountability pressures that might spur more leak investigations than before.

"SOX has created a command and control culture on boards -- they are thinking that their responsibility has expanded," says Larry Ponemon, founder of the Ponemon Institute, which studies corporate governance issues. "The issue is that when you're in that culture and you hear about a leak, you immediately start to think: 'We can't allow that to occur. We have to respond at all costs.'"

But experts like Ponemon say it is possible for enterprise executives -- from the CIO to the CEO or CISO to the head of HR -- and boards to work together to strike a balance between managing liability, limiting confidentiality breaches, and ethically investigating alleged leaks. Here's what analysts advise:

1. Do resolve internal conflicts

Mark Stahlman, a technology strategist for Gartner Invest, who has followed the HP story closely, says the heart of the problem was that the company's board was internally at odds. "A board that is divided is a far more serious problem than a leak," Stahlman says. "The most important lesson for boards to learn is to try to resolve their own conflicts without resorting to these kinds of means. If the HP board members had been able to address all of the disagreements among them, none of this would have happened." And this doesn't apply just to board members. Disgruntled employees sometimes leak confidential information or publicly air a company's dirty laundry online or in the press. The goal for management: Try to pinpoint and resolve conflicts before they lead to damaging leaks.

2. Do have an upfront policy about leak investigations

Sometimes a company's board or management team will have an obligation to deal with leaks. But Ponemon says the key is having an established policy from the beginning so that everyone -- especially board members -- knows how leaks will be investigated (even when it has to be done stealthily) and what will be expected of them during the investigation. Ponemon says boards need to know the level of scrutiny they will face if policy-violating leaks start sprouting. "Have a code of conduct or credo for the board. It could be tougher or different than other employees -- that they have an oath of confidentiality unless it's a violation of the law," he says. "They need to know the rules you live by as an organization or board. If I've agreed to undergo that level of scrutiny as a board member...the board has a right to do investigations that are done properly and ethically."

3. Don't allow the use of unmonitored subcontractors

The biggest snag with the HP case was that the private investigation firm engaged by Dunn used subcontractors who then engaged in pretexting and other questionable activities, such as secretly following and photographing a journalist who'd written about HP while she was on vacation with her family. Experts say organizations need to better oversee the use of subcontractors to investigate or obtain information about employees, job applicants, competitors, and others.

"The issue of not knowing what your private investigators do and how they collect data has created more or less a Pandora's box," Ponemon says. "You better vet the companies and make sure they have creditable credentials. You should ask questions about how they got their data." Again, Ponemon recommends obtaining board members' or employees' consent when they sign on, so that public records, for example, can be used in the course of any leak investigation. "Surveillance can be built into systems like examining Internet or email usage, but you need to let people know it's happening. It's always wrong to do it without some form of consent," he says.

4. Don't break the law

Finally, organizations should not break the law in order to clamp a leak. But knowing the laws can be tricky. Although pretexting wasn't illegal at the time of the HP board leak investigation, a lot of people still consider it unethical. Then there is the plethora of privacy laws worldwide that organizations have to be aware of before doing background checks or private investigations. "Companies need to know the different state laws on privacy and comply with all of them. And internationally these laws are very different," Ponemon says. "You still need to do private investigations when it's warranted, but board members have to be stewards of the organization. [The board] should only be using procedures that are legal and not going beyond public spaces and records."

And Stahlman says companies should be careful not to muzzle the board to limit leaks -- gagging the members could be more damaging than leaks in the long run: "We're no longer in a time period where boards are rubber stamps for management. Independent board members are a critical component in corporate governance today. You want to make sure talented people aren't scared away."

Courtney Macavinta is a Silicon Valley-based business and technology writer. Her articles have appeared in CNET News, Business 2.0, Red Herring, Wired News, and The Washington Post. She also is managing editor of the online program The Online Family.
